Re: Strange tripwire behaviour

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> > Hi All,
> >
> > I run tripwire each night on all my servers to check for file
> > changes. This morning I noticed something strange. On this server
> > tripwire was installed on 26th Nov last.
> >
> >     [root@keano ~]# rpm -qa --last | grep tripwire
> >     tripwire-2.3.1-18.fdr.3.1                     Fri Nov 26 13:31:50
> > 2004
> >
> > Now for some reason when it was run last night the following changes
> > had occured to the tripwire executable. Changes to the Inode Number,
> > the block count, the CRC32 and MD5 checksums.
> >
> >
> > Modified object name:  /usr/sbin/tripwire
> >
> > Now a similar change occured on all 20 of my servers last night so I
> > don't think it was a compromise. At least I hope not.
> >
> > Any ideas.
>
> Most likely prelink ran and modified the binaries.  First time I had
> tripwire reported like this I was in a mild panic thinking the worse.
> But it turned out to be prelink doing its thing via the cron job.
>
> --

Scott, 

Thank's I hadn't thought of that. As you said I was in a mild panic first 
but then said a hacker couldn't have got at all the servers which are on 
different vlans. Funny that it never happened before though.

Tony

-- 


Tony Molloy.

Dept. of Comp. Sci.
University of Limerick


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux